AUDIT REPORT
13-06

Opportunities Exist to Reduce Costs Associated with Oracle
Software Licensing

March 29, 2013

Date
March 29, 2013
To
Chief Information Officer
From
Inspector General
Subject
Audit Report – Opportunities Exist to Reduce Costs Associated with Oracle Software
Licensing
Report Number 13-06

Enclosed please find the subject final report. Please refer to the “Results in Brief” for
the overall audit results. Our evaluation of your response has been incorporated
into the overall body of the report. We consider management’s comments
responsive to all of the recommendations. The recommendations are resolved and
will remain open for reporting purposes pending our verification of the completion
of the agreed-upon corrective actions.

If you have any questions or comments about this report, please do not hesitate to
contact me at (202) 512-0039.

MICHAEL A. RAPONI
Inspector General

Enclosure

cc:
Acting Public Printer
Assistant Public Printer, Operations
General Counsel

Contents

Introduction
Results in Brief
Background
Results and Recommendations
Appendix A – Objectives, Scope, and Methodology
Appendix B – Products with Both Processor and User Licenses
Appendix C – Management’s Response
Appendix D – Status of Recommendations
Appendix E – Report Distribution
Major Contributors

Office of Inspector General

Introduction

OIG initiated an audit to identify any major instances of potential duplication and
overlap of Oracle modules and licenses present and, if so, what controls could be
strengthened to mitigate the condition. This is a follow-on audit related to work we
conducted of GPO’s Enterprise Architecture in 2012 in which OIG reported that
without a matured Enterprise Architecture, GPO assumes the risk that it will invest
in Information Technology that is duplicative, not well integrated, costly, not
supportive of the agency's strategic goals and mission, or not responsive to
emerging technologies.

In Fiscal Year (FY) 2013, GPO reported it will spend approximately $3.2 million on
Oracle licenses. Today, in addition to an expanded role in Finance and
Administration, GPO uses Oracle to support Business Units such as Plant Operations,
Library Services and Content Management, Security and Intelligent Documents, and
Customer Services.
GPO has executed four key contracts with Mythics, an Oracle
resale partner that represents the entire Oracle product line of software, support,
hardware, engineered systems, and appliances.

GPO has long recognized the need to modernize its information systems and replace
unsustainable legacy systems. GPO decided to standardize on the Oracle Enterprise
Suite of commercial off-the-shelf (COTS) products as its enterprise software solution
of choice and overall technological foundation to replace its legacy systems. The
Oracle Enterprise Suite is a suite of more than 150 integrated software modules for
financial management, supply-chain management, manufacturing, project systems,
human resources, and sales-force automation. GPO began its initial efforts to
replace legacy systems with the procurement and implementation of three Oracle
Federal Financials modules between 1998 and 2001. Since inception, GPO has
greatly expanded its use of Oracle modules.

GPO’s policy requires that the Chief Information Officer establish operations and
computer support as a part of the security program. Operations planning and
computer support include software license management. GPO policy also
establishes the Architecture Review Board (ARB). The ARB, in part, reviews
business and system initiatives for compliance with GPO Enterprise Architecture to
support interoperability and data sharing and minimize redundancy.

While the areas identified in our report are not intended to represent the full
universe of Oracle licenses, we conducted a systematic examination across GPO to
identify major uses of Oracle licenses. In most cases, GPO provided technical
documentation associated with each license. We examined the major functions of
each Oracle purchase order and how it relates to GPO. We reviewed policies and
procedures in place as of March 2013.
We reviewed acquisition reports, purchase
orders, and itemized invoices for FY 2013. To gain an understanding of GPO’s processes
related to the purchase of Oracle licenses, we performed a walk-through of
applicable processes with GPO staff. We interviewed key management officials from
the GPO Office of Finance and Administration, the Office of Acquisitions, the Office of
the Chief Information Officer, and the Security and Intelligent Documents Unit
responsible for establishing and monitoring the acquisitions process and for reviewing
and approving the purchases.

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence that provides a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objective. Our objective, scope, methodology, and criteria are
detailed in Appendix A.

Results in Brief

The audit disclosed that GPO has worked toward modernizing information systems
in which Oracle products play a key role. However, given that GPO will spend
approximately $3.2 million on Oracle licenses in FY 2013, further analysis is
necessary to ensure all current Oracle licenses and products are needed.

For example, we identified 14 instances where GPO pays for both an application
user license and processor license for the same Oracle products costing $301,547.
We noted GPO uses Oracle on Demand hosting for its e-Passport production to
maintain standby databases, a master repository, and the NetApp Snap Mirror
costing GPO $583,693 when a less expensive alternative may be available. We also
identified excess user licenses and processor licenses, which may result in cost
savings.
We attribute these instances to the nonexistence of policies and procedures for
software license management and an incomplete inventory of Oracle products that
crosswalks to GPO applications. As a result, GPO may be paying for excess and
duplicate Oracle licenses and products.

Recommendations

The OIG recommended that the Chief Information Officer mitigate risks of
potentially investing in duplicative licenses by (1) developing and implementing
processes, policies and procedures to address goals and objectives of a software
license management program, (2) conducting an assessment of the current Oracle
software licenses and Oracle products vs. GPO requirements to determine the
correct license and product mix and make the necessary adjustments, and (3)
revising the current inventory listing to include a crosswalk from major Oracle COTS
software products to GPO applications.

Management’s Response

Management concurred with the recommendations and has planned corrective
actions. The complete text of management’s response is in Appendix C.

Background

GPO senior managers have long realized that GPO must effectively manage its
portfolio of capital assets, including software licenses, to ensure that scarce public
resources are wisely invested. This includes software licenses in support of
in-house production and procurement services for Congress and federal agencies,
passport production, smart cards, the Federal Digital System (FDsys), the Federal
Depository Library Program (FDLP), financial management, acquisition
management, and human capital management.

GPO has four major Oracle license agreements at a cost of approximately $3.2
million. The environment used by end users for business or other operations is
called a production environment.
The four major Oracle license agreements
support GPO’s production environment. The license agreements are illustrated in
Table 1 below.

Table 1. Major Oracle Licenses

Purchase Order                                                                                   Fiscal Year
Number          Purpose                                  Service                                  2013 Cost
3014792         Stennis MS Passport Production           Oracle On Demand (Note 1)                $583,693
3014770         D.C. Passport Production, Identity       Internal Oracle Database Enterprise      $680,000
                Management, and FDsys                    Edition and Applications (Note 2)
3015018         Government Printing Office Business      Oracle On Demand                         $1,055,827
                Information System
3015200         Support for Government Printing Office   Internal Oracle Database Enterprise      $921,824
                Business Information System On Demand    Edition and Applications
Total Cost                                                                                        $3,241,344

Note 1. On Demand services refer to software-as-a-service that allows GPO to have Oracle
applications, databases, and supporting Information Technology infrastructure managed by Oracle. The
Oracle software is hosted at an Oracle data center in Austin, Texas.

Note 2. Internal services refer to the Oracle software and Information Technology infrastructure
managed and hosted by GPO.

The Oracle Enterprise Edition and Applications is a suite of more than 150
integrated software modules for financial management, supply-chain management,
manufacturing, project systems, human resources, and sales-force automation. The
modules vary in size and complexity. The general classifications within the Oracle
Enterprise Suite consist of: 1) the Customer Relationship Management module
which covers the Marketing, Sales, and Service functions, 2) the Financials modules
which cover the general ledger and associated financial accounting modules, 3) the
Supply Chain Management module which addresses distribution—getting materials
from suppliers to customers, 4) the Manufacturing modules which affect product
design and manufacture, 5) the Human Resources modules which support the
administration of human capital, such as compensation and training for
organizational needs in terms of hiring, benefits, and reviews of employees, and 6)
the Projects module which provides for various project management activities.

Modernizing GPO’s Information Systems

In an effort to modernize and support GPO’s Enterprise Architecture, GPO acquired
product licenses for use with Oracle applications. GPO began its initial efforts to
replace legacy systems with the procurement and implementation of three Oracle
Federal Financials modules, i.e., General Ledger, Accounts Receivables, and Fixed
Assets. GPO implemented those three modules between 1998 and 2001.

GPO launched the GPO Enterprise Program in 2004 to replace unsustainable legacy
systems.
This major project has been progressively implementing modern
application systems that support GPO business and support units.

In 2007, GPO acquired the Government Printing Office Business Information System
(GBIS) as a continuation of this modernization project. This was an additional
acquisition of product licenses. GBIS replaced mainframe software placed into
operation more than 30 years ago. In 2008, GPO acquired additional Business
Objects licenses for use with Oracle applications. Business Objects will provide
seamless reporting functionality from GBIS.

GPO's Oracle financial system–GBIS–went live in May 2009. Also, GPO decided to
standardize its reporting environment using the business intelligence tool Business
Objects. At that time, over 100 reports were developed to bring visibility to all
aspects of the data stored in GBIS. These reports, available in public folders, are
being used to evaluate and address deficiencies.

In 2010, GPO upgraded to a new Oracle application server (WebLogic) in support
of FDsys.

In 2011, GPO pursued the migration of several key legacy FDLP systems. The
migration and modernization of these systems were in support of GPO’s growth and
efficiency in service to Federal depository libraries and the public. At the end of
fiscal 2011, the Library Information System Transformation Project to migrate three
separate legacy systems to one platform was underway.
The project utilized Oracle
Enterprise Architecture applications to replace the Depository Distribution and
Information System’s Item Lister functionality in the Library Services and Content
Management business unit.

Oracle was further developed to provide the connection between the National
Finance Center (NFC), GPO's payroll processor, and GPO’s hosted system at Oracle’s
data center.

Today, in addition to an expanded role in Finance and Administration, GPO uses
Oracle to support Business Units such as Plant Operations, Library Services and
Content Management, Security and Intelligent Documents, and Customer Services.
GPO uses Oracle General Ledger, Oracle Fixed Assets, Oracle Public Sector Payables,
Oracle Receivables, Oracle Purchasing, Oracle Inventory Management, Oracle Order
Management, Oracle Project (Work-in-progress), and Oracle to support Library
Services.

Select Federal Guidance and Legislation

Clinger-Cohen Act

Congress enacted the Information Technology Management Reform Act of 1996 (known
as the Clinger-Cohen Act [1]) to address longstanding problems related to federal
Information Technology management. The Clinger-Cohen Act requires the head of each
federal agency to implement a process that maximizes the value of agency Information
Technology investments and assesses and manages acquisition risks. A key goal of the
Act is to ensure that agencies implement Information Technology projects at acceptable
costs and within reasonable timeframes.
The Clinger-Cohen Act assigns to the head of
an executive agency the responsibility to develop a capital planning and investment
control process that will provide for the selection, management, and evaluation of
investments.

Office of Management and Budget (OMB) Circular A-130 (A-130)

OMB Circular A-130 [2] requires that agencies establish and maintain a capital planning
and investment control process that links mission needs, information, and information
technology in an effective and efficient manner. A-130 divides the process into the
Select, Control, and Evaluate stages.

[1] Public Law No. 104-106, Division E, February 10, 1996. The law, initially titled the
Information Technology Management Reform Act of 1996, was subsequently renamed the
Clinger-Cohen Act of 1996 in P. L. 104-208, September 30, 1996.
[2] OMB, Management of Federal Information Resources, Circular No. A-130 (Nov. 28, 2000).

GPO Directives

GPO Directive 705.31, “GPO Enterprise Architecture Policy”, dated December 8,
2008, established the ARB. The ARB, in part, reviews business and system initiatives
for compliance with GPO Enterprise Architecture to support interoperability and
data sharing and minimize redundancy. The Chief Information Officer designates the
Chief Architect or the Chief Information Officer’s designee to chair the ARB.
Membership of this standing board includes Operational Managers from Business
Units, Support Organizations, Office of the Chief Information Officer, and
Information Technology Security. Additional members are selected on an as-needed
basis (i.e. subject matter experts, project managers, etc.).

GPO Directive 825.33B, “Information Technology Security Program Statement of
Policy,” May 24, 2011, establishes a set of controls to safeguard agency Information
Technology processes and information, and also assigns responsibilities and
accountability to provide reasonable assurance for the protection of system
resources against fraud, waste, abuse, disaster, mismanagement, or compromise.
GPO’s policy, in part, states the Chief Information Officer will establish operations
and computer support as a part of the security program. Operations planning and
computer support will address loading and executing new software; use of system
utility software; authorizations required for system changes and software license
management.

Chief Information Officer Council

In September 1999, the Federal Chief Information Officer Council [3] published the Federal
Enterprise Architecture Framework to provide Federal agencies with a common construct
for their architectures, and facilitate the coordination of system investments among
Federal agencies. The Enterprise Architecture (EA) provides guidance and source
information for requirements analysts, designers, engineers, and test planners to reference
and builds upon management executing their responsibilities. EA is a resource for
managing inventory, routine maintenance, and queries.
Analysis of the baseline
architecture can identify opportunities for consolidating network services, floating or site
software licenses, and economies of scale for equipment and services.

[3] The Chief Information Officer Council is the principal interagency forum on the
improvement of agency practices related to use of Federal information resources.

Executive Order 13103

Executive Order 13103, Computer Software Piracy, requires that Federal agencies
establish procedures to ensure compliance with established computer software
licensing laws and regulations.

Although not subject to the Clinger-Cohen Act, OMB Circular A-130, and Executive
Orders, GPO generally adopts similar standards and operating procedures because
doing so is consistent with GPO’s mission and strategic goals.

Internal Control Requirements

The Government Accountability Office (GAO) Standards for Internal Controls in the
Federal Government, November 1999, requires ongoing monitoring in the course of
normal operation. Internal controls are performed continuously and ingrained in an
Agency’s operations. GAO’s standards include regular management and supervisory
activities, comparisons, reconciliations, and other actions people take in performing
their duties. Those standards require the use of control activities described below:

Control activities are the policies, procedures, techniques, and mechanisms that
enforce management’s directives, such as the process of adhering to requirements
or budget development and execution. They help ensure that actions are taken to
address risks. Control activities are an integral part of an entity’s planning,
implementing, reviewing, and accountability for stewardship of Government
resources and achieving effective results.

OMB Circular No. A-123, Management’s Responsibility for Internal Control, dated
December 21, 2004, requires that managers develop and maintain effective internal
controls. Effective internal controls provide assurance that significant weaknesses
in the design or operation of internal controls that could adversely affect an agency’s
ability to meet its objectives would be prevented or detected in a timely manner.

As a legislative branch agency, GPO is not required to follow OMB Circulars,
including Circular A-123. However, since those Circulars provide a sound basis for
internal controls for any organization, GPO has incorporated the major
requirements of Circular A-123 in its directives.

Prior Reports Highlighted Risks with Information Technology Investments

We identified two reports that are relevant to this audit. In 2012, OIG conducted an
audit to determine to what extent GPO had assurance that its Enterprise
Architecture was used to guide and constrain ongoing development and support of
GPO’s strategic transformation. We noted that efforts to develop a fully mature
Enterprise Architecture had been underway since 2008. GPO developed and
implemented an Enterprise Architecture policy, created the Enterprise Architecture
Program Office, appointed a Chief Architect, uses an automated tool that contains
reference models to assist in developing an Enterprise Architecture, and from 2008
to 2010 established an ARB. In 2010, GPO performed a self-assessment using GAO’s
framework and determined a maturity level of Stage 4 in the GAO framework. The
highest level of maturity is Stage 6.
Stage 4 represents completing and using an
initial Enterprise Architecture version for targeted results.

OIG reported that without a matured Enterprise Architecture, GPO assumes the risk
that it will invest in Information Technology that is duplicative, not well integrated,
costly, not supportive of the agency's strategic goals and mission, or not responsive
to emerging technologies.

In 2004, GAO conducted a review in response to both a mandate requiring GAO to
examine the state of printing and dissemination of public government information
and a congressional request that GAO conduct a general management review of GPO
focusing on the inevitable transformation of GPO. In part, GAO concluded that GPO
did not have an Enterprise Architecture at the time. The Chief Information Officer
was in the process of documenting GPO’s business processes and supporting
Information Technology architecture (the “as-is” enterprise architecture).

Enterprise Architecture programs establish roadmaps for as-is and target to-be
architectures, transition plans for affected agency management and investment
decisions coordinated across boards or committees. Such roadmaps include an
agency's capital planning and investment control process.

Results and Recommendations

While GPO is making progress on modernization of its information systems and
replacing its unsustainable legacy systems, it could strengthen controls over
management of software licenses. We identified several areas where GPO could
possibly reduce costs by analyzing application and processor licenses, developing and
implementing policies and procedures to facilitate management of software licenses,
and crosswalking Oracle products to GPO applications.

Processor vs. Application User License

Oracle products can be licensed by processor or by application user metric. Our
review revealed GPO pays for both application user and processor licenses for the
same Oracle products. If licensing by processor, all processors where the database
is installed and/or running must be licensed. If licensing by application user, the
number of licenses required is generally the total number of actual users accessing
the Database. Table 2 below is an example of paying for both a user license and a
processor license associated with the same Oracle product. Our complete listing can
be found in Appendix B.

Table 2. Example of Both a User and Processor License for the Same Oracle Product

Oracle Product Description            License Type   Number of Licenses  Price        Purchase Order  Processor License Charge
Oracle Diagnostics Pack for Database  Licensed User  2500                $13,464.43   3014770         N/A
Oracle Diagnostics Pack               Processor      20                  $2,276.55    3015200         $2,276.55
Oracle Diagnostics Pack               Processor      2                   $199.88      3015200         $199.88
Oracle Diagnostic Pack for Database   Processor      20                  $3,140.22    3014770         $3,140.22

In general, a product license agreement is a software license contract between Oracle and
the user–GPO. The software license grants GPO specific rights to use the software.
It
also allows Oracle to continue to own the software.

License types or metrics are selected to reflect the functionality of the product.
Essentially, a license metric determines how the software usage is being measured when
Oracle licenses a product to a customer. Oracle’s technology products are primarily
licensed using an application user metric or a processor metric. An application user metric is
used in environments where users and/or devices can be easily identified and counted.

The processor metric is mostly used in environments where the software users cannot be
easily identified or counted, such as internet-based applications. The processor metric is
also used when it is more cost effective than application user licenses. All processors
where the Oracle programs are installed and/or running must be licensed.

A comparison of the application user and processor licenses with Oracle products
reveals that an opportunity may exist to reduce the number of licenses. In FY
2013, GPO will pay $301,547 for the potential duplicate licenses.

Commercial Host (Oracle on Demand for e-Passport)

GPO has contracted for hosting services from Oracle Corporation located in Austin,
Texas to maintain standby databases, a master repository, and the NetApp Snap
Mirror since November 2007. While we commend GPO for establishing a baseline
of preparedness for a full range of potential emergencies ensuring the performance
of its essential e-Passport functions, this approach may be a costly alternative to its
alternate operation facility in Manassas, Virginia and may not fully recognize that GPO
maintains 1 million blank passports in inventory at any given time. Purchase Order
3014792 provides Oracle on Demand for the following three types of services
related to e-Passport production.

1. Standby Databases
   • Data Guard product used to provide each production (HQ & SPF) facility
     with a “Standby Database”
   • 2 Oracle Technology On Demand Windows Servers hosted in the Federal
     Zone at Oracle’s Austin Data Center (ADC) communicate with the servers
     at the production facilities.

2. Master Repository
   • Master repository of Passport information that meets the 15 year regulatory
     requirement 1 Production Oracle Technology On Demand Instance.
   • 2 Oracle Technology On Demand Instances on Linux - 1 production and 1
     Test Instance.

3. NetApp Snap Mirror: Filers located at each production (HQ & SPF) facility
   communicate with a Filer in the Federal Zone at the ADC and push data for a
   backup of their production data.

In FY 2013, GPO will pay $583,693 for this service. Our audit disclosed that
additional analysis is needed to fully understand alternate Oracle products that
may provide sufficient continuity of operations support, use of GPO’s alternate
operation facility in Manassas, Virginia, and varying quantities of passport
inventory to sustain an interruption in the processing of e-Passports.

Number of Purchased User Licenses

An Oracle user license enables GPO employees to connect devices to Oracle
products. In FY 2013, GPO purchased 2,500 Oracle user licenses under purchase
order number 3014770. A comparison of the number of licenses purchased with
the actual number of GPO employees revealed an excess number of licenses. As of
October 10, 2012, GPO’s headcount totaled 1,879 employees.

Our analysis disclosed GPO had more user licenses than actual users. For example,
between December 2012 and February 2013 there were 731 users that regularly
log on to GBIS.
Mythics told us that the 2,500 Oracle user licenses represented the entire\nGPO employee count at the time of the initial purchase several years ago. Mythics told\nus they do not have the GPO requirements detailing the specific need for 2,500 users and\nlicenses.\n\nA comparison between the 2,500 user licenses and the 731 users utilizing Oracle\nGBIS products revealed that additional analysis may be needed. We also noted, an\nOracle license would be required for all WebTA users.\n\nNumber of Purchased Processor Licenses\n\nLicensing by processor requires that all processors where the database is installed\nand/or running must be licensed. We were told that FDSys is the only external\nfacing system using Oracle products within GPO. Therefore, the processor licenses\nneeded for FDSys totals six production processors.\n\nAs depicted in Table 3 below, our review of Oracle purchase orders disclosed GPO\nhas the rights to run the following processors for external users:\n\n\n\n\n                                          12\n\x0cTable 3. 
Internal Processor Licenses by Purchase Order and Product\nPurchase                                                                            License    Number of     License\n Order                            Oracle Product Description                         Type      Processors    Charge\n3015200     Oracle 9i Database, Enterprise Edition                                 Processor       20        $77,052.34\n            Oracle Partitioning                                                    Processor       20        $19,263.09\n            Oracle Diagnostics Pack                                                Processor       20          $2,276.55\n            Oracle Tuning Pack                                                     Processor       20          $1,926.32\n            Oracle Change Management Pack                                          Processor       20          $1,926.32\n            Oracle Internet Application Server, Enterprise Edition                 Processor       20        $39,176.98\n            Oracle iStore                                                          Processor       10        $48,157.70\n            Configurator                                                           Processor        8       $115,578.52\n            iSupport                                                               Processor        4        $19,263.08\n            Oracle Database, Enterprise Edition                                    Processor        2          $7,995.13\n            Oracle Diagnostics Pack                                                Processor        2           $199.88\n            Oracle Partitioning                                                    Processor        2          $1,998.78\n3014770     Oracle Audit Vault Server Processor                                    Processor        4        $10,467.43\n            Oracle Audit Vault Collection Agent Listener                           Processor       40          $6,280.45\n      
            Oracle Configuration Management Pack for Database                      Processor        8          $1,256.09
            Oracle Provisioning Pack for Database                                  Processor        8          $1,256.09
            Oracle Advanced Security                                               Processor        8          $4,186.97
            Oracle Real Application Clusters                                       Processor        8          $8,373.95
            Oracle Label Security                                                  Processor        8          $4,186.97
            Oracle Internet Application Server Enterprise Edition                  Processor        8        $16,149.75
            Oracle Diagnostic Pack for Internet Application Server                 Processor        8          $1,354.49
            Oracle Configuration Management Pack for Internet Application Server   Processor        8          $1,354.49
            Oracle Database Enterprise Edition                                     Processor       20        $41,869.72
            Oracle Diagnostic Pack for Database                                    Processor       20          $3,140.22
            Oracle Tuning Pack for Database                                        Processor       20          $3,140.22
            Oracle Change Management Pack for Database                             Processor       20          $3,140.22
            Oracle Configuration Management Pack for Database                      Processor       20          $3,140.22
            Oracle Provisioning Pack for Database                                  Processor       20          $3,140.22
            Oracle Internet Application Server Enterprise Edition                  Processor       20        $40,374.38
            Oracle Diagnostic Pack for Internet Application Server                 Processor       20          $4,740.70
            Oracle Configuration Management Pack for Internet Application Server   Processor       20          $4,740.70
Total                                                                                             436       $497,107.97

Table 4 below depicts the information GPO’s Enterprise Architecture provided
regarding internal Oracle installations and processor usage at GPO. We were told
that some information may be missing.

    Table 4. Internal Processor Usage at GPO
                                                        Production/Test/Development   Number
                            Hostname                             /Unknown             of CPUs
    GPO.GOV\OFREACFORA (172.19.4.30)                              Unknown                2
    GPO.GOV\HQMSONBSDB01 (hqmsonbsdb01.gpo.gov)                Production (old)          2
    GPO.GOV\HQMSONBSDB02 (hqmsonbsdb02.gpo.gov)                Production (old)          2
    GPO.GOV\HQMSORAMC01 (hqmsoramc01.gpo.gov)                     Unknown                2
    GPO.GOV\HQMSORAMC01 (hqmsoramc01.gpo.gov)                     Unknown                2
    GPO.GOV\HQMSONBSFTP01 (hqmsonbsftp01.gpo.gov)                 Unknown                2
    GPO.GOV\HQMSADCM1714 (webta.gpo.gov)                         Production              2
    GPO.GOV\HQMSDDCM1716 (hqmsddcm1716.gpo.gov)                  Production              2
    GPO.GOV\HQMSPROBE01 (172.16.41.12)                           Production              2
    GPO.GOV\HQMSPROBETEST (162.140.96.124)                          Test                 2
    GPO.GOV\HQMSORACLETST01 (162.140.96.211)                        Test                 2
    GPO.GOV\HQVMONBSTEST01 (hqvmonbstest01.gpo.gov)                 Test                 1
    GPO.GOV\HQVMWEBTADB (162.140.96.217)                          Unknown                1
    GPO.GOV\HQVMWEBTADB1 (hqvmwebtadb1.gpo.gov)                   Unknown                1
    GPO.GOV\HQMSORACLECLST2 (162.140.96.77)                         Test                 2
    DATACENTER\FMSNFC02 (fmsnfc02.datacenter.gpo.gov)            Production              2
    DATACENTER\FMSNFC02 (fmsnfc02.datacenter.gpo.gov)            Production              2
    GPO.GOV\HQVMADCM1317 (172.16.43.101)                          Unknown                1
    GPO.GOV\HQVMENTARCH1 (172.16.43.93)                         Development              1
    GPO.GOV\HQVMMSPERQ (hqvmmsperq.gpo.gov)                       Unknown                2
    GPO.GOV\HQMSBCDMFR25 (hqmsbcdmfr25.ofr.gpo.gov)               Unknown                2
    GPO.GOV\HQMSBCDMFR24 (hqmsbcdmfr24.gpo.gov)                     Test                 2
    GPO.GOV\OFREDCORA (ofredcora.ofr.gpo.gov)                    Production              2
    GPO.GOV\HQVMDC51A (hqvmdc51a.gpo.gov)                         Test (old)             1
    GPO.GOV\HQVMDC51 (hqvmdc51.gpo.gov)                        Production (old)          1
    GPO.GOV\HQMSNW70416 (hqmsnw70416.main.gpo.gov)                Unknown                2
    GPO.GOV\HQVMMSPQDB (172.16.43.172)                        Production (new)           2
    GPO.GOV\HQMSONBSDB04 (hqmsonbsdb04.gpo.gov)                  Test (new)              2

    FDsys
    Hostname                                            Production/Test/Development   Number
                                                        /Unknown                      of CPUs
    hqlxfdsyspcmsdb1.gpo.gov                                     Production              2
    hqlxfdsyspcmsdb2.gpo.gov                                     Production              2
    acflxfdsysdb1.gpo.gov                                           COOP                 2
    hqlxfdsystdb1.test.fdsys.gpo.gov                                Test                 2
    hqlxfdsystdb2.test.fdsys.gpo.gov                                Test                 2
    hqlxfdsysddb1.gpo.gov                                       Development              2
    hqlxfdsysddb2.gpo.gov                                       Development              2

     e-Passports
     Hostname                                 Production/Test/Development   Number
                                              /Unknown                      of CPUs
     hqepassprododa1                                   Production              6
     hqepassprododa2                                   Production              6
     hqepasstestoda1                                   Production              6
     hqepasstestoda2                                      Test                 6
     hqmsencp01                                        Production              16
     hqmsencp02                                        Production              16
     hqmsoem01                                         Production              8
     spfepassoda1                                      Production              6
     spfepassoda2                                      Production              6
     spfmsencp01                                       Production              16
     spfmsoem01                                        Production              8
     Total                                                                    163

A comparison between the 436 internal processor licenses and the 163 internal
processors in use at GPO reveals that additional analysis may be needed.

Standard Operating Procedures Should be Developed and Software Inventory
Should be Cross Walked to GPO Applications

In part, the above conditions occurred because standard operating procedures were
not developed and software inventory was not cross walked to GPO applications.

Software License Management Procedures

GPO Directive 825.33B, “Information Technology Security Program Statement
of Policy”, dated May 24, 2011, sets forth GPO’s policy regarding software license
management. GPO’s policy states the Chief Information Officer will establish
operations and computer support as a part of the security program. The directive
also states that “operations planning and computer support will address loading
and executing new software; use of system utility software; authorizations required
for system changes and software license management.”

However, GPO has not yet developed procedures for ensuring this is carried out. For
example, among other things, GPO does not cross walk software licensing
information. In addition, GPO does not have a software management tool that
performs license tracking and inventory GPO-wide.

GPO is responsible for developing and implementing an enterprise-level plan for
conducting periodic audit checks to ensure it is in compliance with software license
agreements. Executive Order 13103, Computer Software Piracy, requires that
Federal agencies establish procedures to ensure compliance with established
computer software licensing laws and regulations. Executive Order 13103 was
signed by the President on September 30, 1998. It directed, among other things, that
each executive agency adopt procedures to ensure that it does not acquire,
reproduce, distribute, or transmit computer software in violation of applicable
copyright laws; and each executive agency establish procedures to ensure that it
uses only computer software not in violation of applicable copyright laws.

By not having procedures in place to support its policy, GPO is at risk that it will not
be in compliance with software licensing terms and/or may purchase excess
licenses and products.

Inventory of Oracle COTS Software Products

Generally, GPO maintains and updates its systems inventory, including agency and
contractor systems.
While GPO maintains some Oracle products in its inventory, a
detailed inventory of Oracle products and their support of GPO programs and
operations (i.e. a crosswalk from Oracle products to GPO applications) was missing.

The Federal Information Security Management Act of 2002 (FISMA) requires that
agencies have in place an information systems inventory. According to FISMA, the
head of each agency shall develop and maintain an inventory of major information
systems operated by or under the control of such agency. The identification of
information systems in an inventory under this subsection shall include an
identification of the interfaces between each such system and all other systems or
networks, including those not operated by or under the control of the agency. The
inventory should contain the following information for each piece of hardware and
software in the organization:

•   Description of asset
•   Manufacturer
•   Model number
•   Date of purchase or lease
•   Date of deployment
•   Date of last upgrade performed
•   Record of service
•   Maintenance and repairs performed
•   Customization or modifications performed
•   Disposition (recycle, disposal, resale)

Also, GPO’s current inventory did not identify interfaces between Oracle
contractor-managed systems and GPO internal networks as required by FISMA.
Unidentified Oracle products and interfaces could pose significant risks to GPO
operations if not properly evaluated and mitigated by appropriate compensating
controls. As a result, GPO cannot be sure that it has a complete and accurate
inventory of its systems.

Recommendations

To mitigate risks of potentially investing in duplicative licenses, the OIG
recommended that the Chief Information Officer:

   1. Develop and implement processes, policies and procedures to address
      the goals and objectives of the software license management program.

Management’s Response

Concur. The GPO Office of Information, Technology, and Systems (IT&S) will
document and assign license management duties for each of its component divisions
and a single IT&S lead will be established to monitor and coordinate license
management activities while validating planned renewals or purchase (see
Appendix C).

Evaluation of Management’s Response

Management’s planned action is responsive to the recommendation. The
recommendation is resolved but will remain open for reporting purposes pending
the completion of the proposed action.

   2. Conduct a cost effectiveness assessment of the current Oracle software
      license and Oracle products vs. GPO requirements to determine the
      correct license and product mix and make the necessary adjustments.

Management’s Response

Concur. IT&S will conduct a license audit for all Oracle products.

Evaluation of Management’s Response

Management’s planned action is responsive to the recommendation. The
recommendation is resolved but will remain open for reporting purposes pending
the completion of the proposed action.

   3. Revise the current inventory listing to include a crosswalk from major
      Oracle COTS software products to GPO applications.

Management’s Response

Concur. IT&S will develop a crosswalk to illustrate how each licensed feature of the
Oracle product line maps to usage by the Commercial Off-The-Shelf and custom
developed applications to ensure that GPO is not paying for unnecessary features.

Evaluation of Management’s Response

Management’s planned action is responsive to the recommendation.
The recommendation is resolved but will remain open for reporting purposes
pending the completion of the proposed action.

Appendix A - Objectives, Scope, and Methodology

We performed the audit from December 2012 through March 2013 at the GPO
Central Office in Washington, D.C. We conducted the audit in accordance with
generally accepted government auditing standards. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate evidence that will
provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.

Objectives

We conducted this audit to identify any major instances of potential duplication and
overlap of Oracle modules and licenses present and if so, what controls could be
strengthened to mitigate the condition.

Scope and Methodology

To meet our objectives we performed the following:

   •   Reviewed Federal and GPO software licensing policies and procedures
       including the Information Technology Management Reform Act of 1996; OMB
       Circular A-130; OMB Circular A-123; Federal Chief Information Officer
       Council publication: Executive Order 13103; GAO’s Standards for Internal
       controls in the Federal Government; GPO Directive 705.31; GPO Directive
       825.33B; and applicable standard operating procedures.

   •   We interviewed key management officials from the GPO Office of Finance and
       Administration, the Office of Acquisitions, the Office of the Chief Information
       Officer, and the Security and Intelligent Documents Unit responsible for
       establishing and monitoring the acquisitions process; and reviewing and
       approving the purchases.

   •   We reviewed prior OIG and GAO audit
       reports.

   •   We analyzed the number of processor and user application licenses,
       commercial hosting activities, and processor data, and conducted an
       Oracle access utilization analysis.

   •   Examined GPO’s Oracle purchase order numbers 3014792, 3014770,
       3015018, and 3015200 to identify Oracle products and license agreements.

Management Controls Reviewed

We determined that the following internal controls were relevant to our audit
objective:

Program Operations – Policies and procedures management implemented to
reasonably ensure that the software license management program met GPO’s
objectives.

Validity and Reliability of Data – Policies and procedures management implemented
to reasonably ensure that valid and reliable data are obtained, maintained, and fairly
disclosed in reports (See Computer-generated Data below).

Compliance with Laws and Regulations – Policies and procedures management
implemented to reasonably ensure that resource use is consistent with laws and
regulations.

The details of our examination of management controls, the results of our
examination, and noted management control deficiencies are in the report narrative.
Implementing the recommendations in this report should improve those
management control deficiencies.

Computer-generated Data

We relied on computer-generated data during this audit. Specifically, we relied on
the internal processor usage report provided by GPO. We assessed the reliability of
the data but did not test general system and application controls. In order to test
the reliability of the data on the report, we attempted to compare the host names
with Oracle applications and processor licenses.
As a result of GPO’s lack of
supporting documentation, for the most part we were unable to perform those tests.
Therefore, we determined that the data were unreliable but nevertheless usable to
meet our audit objectives and support our conclusions.

Appendix B – Products with Both Processor and User Licenses

                                                                      License        Number of               Purchase         Processor
Oracle Product Description                                            Type            Licenses       Price    Order      License Charge
Oracle Advanced Security                                              Licensed User       2500    $30,049.89   3014770
Oracle Advanced Security                                              Processor              8     $4,186.97   3014770       $4,186.97
Oracle Change Management Pack                                         Processor             20     $1,926.32   3015200       $1,926.32
Oracle Change Management Pack for Database                            Licensed User       2500     $9,306.14   3014770
Oracle Change Management Pack for Database                            Processor             20     $3,140.22   3014770       $3,140.22
Oracle Configuration Management Pack for Database                     Licensed User       2500     $9,189.70   3014770
Oracle Configuration Management Pack for Database                     Processor              8     $1,256.09   3014770       $1,256.09
Oracle Configuration Management Pack for Database                     Processor             20     $3,140.22   3014770       $3,140.22
Oracle Configuration Management Pack for Internet Application Server  Licensed User       2500     $7,850.58   3014770
Oracle Configuration Management Pack for Internet Application Server  Processor              8     $1,354.49   3014770       $1,354.49
Oracle Configuration Management Pack for Internet Application Server  Processor             20     $4,740.70   3014770       $4,740.70
Oracle Database Enterprise Edition                                    Licensed User       2500   $134,081.12   3014770
Oracle Database Enterprise Edition                                    Processor             20    $41,869.72   3014770      $41,869.72
Oracle Database, Enterprise Edition                                   Processor              2     $7,995.13   3015200       $7,995.13
Oracle 9i Database, Enterprise Edition                                Processor             20    $77,052.34                $77,052.34
Oracle Diagnostics Pack for Internet Application Server               Licensed User       2500     $7,850.58   3014770
Oracle Diagnostic Pack for Internet Application Server                Processor              8     $1,354.49   3014770       $1,354.49
Oracle Diagnostic Pack for Internet Application Server                Processor             20     $4,740.70   3014770       $4,740.70
Oracle Diagnostics Pack for Database                                  Licensed User       2500    $13,464.43   3014770
Oracle Diagnostics Pack                                               Processor             20     $2,276.55   3015200       $2,276.55
Oracle Diagnostics Pack                                               Processor              2       $199.88   3015200         $199.88
Oracle Diagnostic Pack for Database                                   Processor             20     $3,140.22   3014770       $3,140.22
Oracle Identity and Access Management Suite                           Licensed User       2500    $10,661.33   3014770
Oracle Identity Management Connector - CA Top Secret                  Connector              1     $2,093.48   3014770       $2,093.48
Oracle Identity Management Connector – E-Business                     Connector              1     $2,093.48   3014770       $2,093.48
Oracle Internet Application Server Enterprise Edition                 Licensed User       2500    $76,567.58   3014770
Oracle Internet Application Server Enterprise Edition                 Processor              8    $16,149.75   3014770      $16,149.75
Oracle Internet Application Server Enterprise Edition                 Processor             20    $40,374.38   3014770      $40,374.38
Oracle Internet Application Server, Enterprise Edition                Processor             20    $39,176.98   3015200      $39,176.98
Oracle Label Security                                                 Licensed User       2500    $30,049.89   3014770
Oracle Label Security                                                 Processor              8     $4,186.97   3014770       $4,186.97
Oracle Partitioning                                                   Licensed User       2500    $31,989.90   3014770
Oracle Partitioning                                                   Processor             20    $19,263.09   3015200      $19,263.09
Oracle Partitioning                                                   Processor              2     $1,998.78   3015200       $1,998.78
Oracle Provisioning Pack for Database                                 Licensed User       2500     $9,189.70   3014770
Oracle Provisioning Pack for Database                                 Processor              8     $1,256.09   3014770       $1,256.09
Oracle Provisioning Pack for Database                                 Processor             20     $3,140.22   3014770       $3,140.22
Oracle Real Application Clusters                                      Licensed User       2500    $60,100.23   3014770
Oracle Real Application Clusters                                      Processor              8     $8,373.95   3014770       $8,373.95
Oracle Tuning Pack                                                    Processor             20     $1,926.32   3015200       $1,926.32
Oracle Tuning Pack for Database                                       Licensed User       2500        $9,840   3014770
Oracle Tuning Pack for Database                                       Processor             20     $3,140.22   3014770       $3,140.22
                                                                                                               TOTAL       $301,547.75

Appendix C – Management’s Response

Appendix D - Status of Recommendations

 Recommendation           Resolved   Unresolved   Open/ECD*   Closed
       1                     x                     9/30/13
       2                     x                     9/30/13
       3                     x                     9/30/13
*Estimated Completion Date.

Appendix E – Final Report Distribution

Acting Public Printer
Assistant Public Printer, Operations
General Counsel

Major Contributors to the Report

Daniel Rose, Lead Information Technology Specialist